How to Detect RYUK Ransomware on Your Network

What is RYUK Ransomware?

An advisory from the US-based Department of Health and Human Services notes that attacks involving RYUK appear to be targeted. In fact, its encryption scheme is intentionally built for small-scale operations, so that in each targeted network only crucial assets and resources are infected, through manual distribution by the attackers.

Search engines such as Shodan allow cyber criminals to find networks where Remote Desktop Protocol, or RDP for short, is open. A tool such as NLBrute can then be used to try a whole range of RDP passwords. Make sure you are constantly checking inbound traffic on your network for any suspicious activity.

Targeted companies are selected one at a time, either via spear-phishing emails or Internet-exposed, poorly secured RDP connections. RDP allows remote use, even of fully-graphical applications that can’t be scripted or operated via a command prompt.

RYUK uses an AES-RSA combo encryption that’s usually undecryptable, unless the RYUK team made mistakes in its implementation. The encryption method that RYUK uses is more or less identical to that of the Hermes malware.

Previous versions of the Hermes ransomware have been an on-and-off threat that surfaces at random intervals with a mass spam campaign. The new RYUK ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect active Ransomware, like RYUK, on your network. One of the easiest ways to do this is to monitor network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place, you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes information such as filenames, actions and usernames.

As well as monitoring traffic associated with your file servers, we also recommend that you monitor all traffic at your network perimeter (just inside your firewall). Ransomware needs to communicate with the outside world, so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like RYUK.

The image below shows some of the things that you should watch out for when it comes to RYUK Ransomware.

1. Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like RYUK strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames exceeds a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

2. Watch out for files with the .RYK extension

Use LANGuardian’s Search by File/Folder Name report to filter for any file with the .RYK extension.

3. Check network shares for ransom notes

When files are encrypted on your network by RYUK Ransomware, it will leave a ransom note in the form of a text file. The ransom message within “RyukReadMe.txt” is from the RYUK developers, who inform victims that all data has been encrypted using a strong cryptography algorithm. They state that backups and shadow copies have also been encrypted.

RYUK ransomware developers also state that only they can provide victims with a decryption tool, and no other tools are capable of decryption. In summary, they make it clear that no other party can help with RYUK infected computers. These cyber criminals also warn users that shutting down or restarting a computer might cause damage or data loss. They urge people not to delete or rename the “RyukReadMe.txt” text files.

RYUK developers offer free decryption of two files to prove decryption is possible and in an attempt to give the impression that they can be trusted. To decrypt the remaining data, users must contact them. However, it is recommended that you do not contact the RYUK developers under any circumstances.

Instead, use LANGuardian’s Search by File/Folder Name report to filter for any file with the name RyukReadMe.txt.
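The three checks above (a burst of 4 or more renames per second, files carrying the .RYK extension, and the RyukReadMe.txt ransom note) can be expressed as a small detection routine run over file-share metadata. The following is an added example, not LANGuardian code; the event line layout ("timestamp user action path") and the sample events are constructed for illustration.

```python
import re
from collections import Counter

# Indicators and threshold taken from the post above.
RENAMES_PER_SEC_ALERT = 4
ENCRYPTED_EXT = ".ryk"
RANSOM_NOTE = "ryukreadme.txt"

# Constructed sample of file-share metadata, one "timestamp user action path"
# event per line. The layout is an assumption, not LANGuardian's own format.
SAMPLE_EVENTS = r"""
2020-03-02T09:15:01 alice READ   \\fs01\finance\q1.xlsx
2020-03-02T09:15:07 bob   WRITE  \\fs01\hr\policy.docx
2020-03-02T09:15:09 alice RENAME \\fs01\finance\q1-final.xlsx
2020-03-02T09:16:30 bob   RENAME \\fs01\hr\policy.docx.RYK
2020-03-02T09:16:30 bob   RENAME \\fs01\hr\handbook.pdf.RYK
2020-03-02T09:16:30 bob   RENAME \\fs01\hr\salaries.xlsx.RYK
2020-03-02T09:16:30 bob   RENAME \\fs01\hr\org-chart.vsdx.RYK
2020-03-02T09:16:31 bob   WRITE  \\fs01\hr\RyukReadMe.txt
""".strip().splitlines()

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(READ|WRITE|RENAME|DELETE)\s+(.+)$")

def parse_event(line):
    """Split one event line into its fields; timestamps have 1-second resolution."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    ts, user, action, path = m.groups()
    return {"ts": ts, "user": user, "action": action, "path": path.strip()}

def detect_ryuk(lines, rename_threshold=RENAMES_PER_SEC_ALERT):
    """Run the three checks from the post and return (indicator, detail) alerts."""
    alerts = []
    renames_per_sec = Counter()
    for line in lines:
        ev = parse_event(line)
        name = ev["path"].rsplit("\\", 1)[-1].lower()   # file name, case-folded
        detail = f"{ev['user']} {ev['action']} {ev['path']}"
        if ev["action"] == "RENAME":
            renames_per_sec[ev["ts"]] += 1            # bucket renames by second
        if name.endswith(ENCRYPTED_EXT):              # check 2: .RYK extension
            alerts.append(("ryk-extension", detail))
        if name == RANSOM_NOTE:                       # check 3: ransom note
            alerts.append(("ransom-note", detail))
    for ts, n in sorted(renames_per_sec.items()):     # check 1: rename burst
        if n >= rename_threshold:
            alerts.append(("rename-burst", f"{n} renames at {ts} (threshold {rename_threshold})"))
    return alerts
```

Calling detect_ryuk(SAMPLE_EVENTS) returns four .RYK alerts, one ransom-note alert and one rename-burst alert for the 09:16:30 second, while the first three benign events alone produce none.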

If you have any questions about how to detect RYUK Ransomware or other variants on your network, do not hesitate to contact us and speak with one of our helpful technical support team members.